Signing Windows INF only Drivers & WiX

This is probably the best write up of the process without needing to understand the full process:

I ended up signing my drivers with both a SHA1 and SHA256 certificate.

Installing drivers on Windows requires careful consideration of the architecture you are installing on.

You have to install the 32bit signed cat file on a 32bit version of the OS and you have to install the 64bit signed cat file on a 64bit version of the OS.

Attempting to install the 32bit version on a 64bit OS will result in an invalid signature warning (not documented anywhere though should have guessed given the command line to inf2cat).

Bit of a pain as I then needed a 64bit and 32bit MSI which is a little bit confusing for a lot of users. The only answer to this is to use a WiX burn bundle and choose which MSI package to install based on the architecture.

The installer I have been writing is localised for; English, French, German, Spanish, Mandarin.

The simplistic approach is to have an MSI for each translation, which means 10 MSI installers.

Burn makes this fairly straightforward to do, however the size of the installer increases a lot unless you are careful and share the CAB file.

The other approach is to apply a transform for each language to a base installer. I'm not too sure how to do this and the size of my installer means I'm going to avoid this until the customer says the installer is too big. Basically just do enough to complete the job!


  • INF only drivers can still be installed on Windows 10 without Microsoft signing them as well.
  • Pity the company David works for is in the States as I would probably buy a robot as a thank you. Still might ;> just the shipping costs double the purchase price.